FS#42921 - [ca-certificates-mozilla] problems with Amazon S3
Attached to Project:
Arch Linux
Opened by Mantas Mikulėnas (grawity) - Thursday, 27 November 2014, 08:51 GMT
Last edited by Doug Newgard (Scimmia) - Friday, 28 November 2014, 21:00 GMT
Details
"s3.amazonaws.com" has a 4-certificate chain:
0: s3.amazonaws.com (Amazon.com Inc.)
1:   ╚═VeriSign Class 3 Secure Server CA - G3
2:     ╚═VeriSign Class 3 Public Primary Certification Authority - G5
3:       └─VeriSign Class 3 Public Primary Certification Authority

In the Mozilla CA list, both #2 and #3 are trusted, but the latter only for email. NSS supports this and stops at #2. Meanwhile, OpenSSL is hopeless and always validates _only_ the last certificate – and since #3 is now filtered out from ca-certificates.crt, the connection fails, even though #2 is still in that file.

$ curl https://s3.amazonaws.com --cacert /etc/ca-certificates/extracted/openssl/ca-bundle.trust.crt
curl: (60) SSL certificate problem: certificate not trusted

Workaround: Ship the old Verisign_Class_3_Public_Primary_Certification_Authority.pem as a simple PEM file in "anchors". (Also at https://gist.github.com/grawity/15eabf67191e17080241)
Closed by Doug Newgard (Scimmia)
Friday, 28 November 2014, 21:00 GMT
Reason for closing: Fixed
Additional comments about closing: 3.17.2-3
Related: https://lists.fedoraproject.org/pipermail/devel/2014-September/202127.html
Kinda somewhat related: https://bugzilla.redhat.com/show_bug.cgi?id=1144808